HSM SafeNet 2.1.0
HSM SafeNet 2.1.0 Manual :
Download HSM SafeNet Manual and Configuration Documents :
- Download HSM Manual
- Download HSM Configuration Document ( Author : Usman Mughal )
- Download HSM KMC Configuration
- Download HSM KEYS Configuration
- Download HSM Backup Through Luna
- Download HSM Java (jdk) Configuration to access EFT WEB
- Download HSM KIR Configuration
- Download Remote HSM Backup and Restore
- Download HSM Web Configuration Documents
- HSM COMMANDS
HSM SafeNet 2.1.0 Related Software :
- Download Putty
- Download PSCP
- Download SafeNet Authentication Client
HSM SafeNet 2.1.0 Packages :
Download HSM SafeNet Packages to update HSM (HSM SafeNet 2.1.0)
- Download Host Name Package (630-010635-001_Hostname)
- Download Portal Package (630-010666-001_portal)
- Download EFT2_Patch_SmartCard_BulkTransfer Package (EFT2_Patch_SmartCard_BulkTransfer)
What is an HSM and how does it work?
What is an HSM (Hardware Security Module) :
A hardware security module (HSM) is a dedicated crypto processor that is specifically designed for the protection of the crypto key lifecycle. Hardware security modules act as trust anchors that protect the cryptographic infrastructure of some of the most security-conscious organizations in the world by securely managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device.
Using an HSM you can:
- Address compliance requirements with solutions for Blockchain, GDPR, IoT, paper-to-digital initiatives, PCI DSS, digital signatures, DNSSEC, hardware key storage, transactional acceleration, certificate signing, code or document signing, bulk key generation, data encryption, and more.
- Generate keys and always store them in the intrusion-resistant, tamper-evident, FIPS-validated appliance, providing the strongest levels of access controls.
- Create partitions with a dedicated Security Officer per partition, and segment through admin key separation.
Why Use an HSM (Hardware Security Module) :
Enterprises buy hardware security modules to protect transactions, identities, and applications, as HSMs excel at securing cryptographic keys and provisioning encryption, decryption, authentication, and digital signing services for a wide range of applications.
Basic Structure :
Three sub-users control the HSM, and each user has its own role.
1 – Admin :
Responsible for administration of the HSM. Admin has two stakeholders, and each stakeholder has its own unique key (a USB found in the HSM box, working as a password).
1.1 – EFT Admin :
Responsible for creating partitions and their users, and also used to decommission the HSM. After decommissioning, the HSM returns to 0 (fresh state).
hsm de is the command that returns the HSM to a new, zero (0) condition.
2 – Partition Owner :
Responsible for all types of HSM configuration and updates:
- Configuration of keys
- Deletion and insertion of keys
- Updating the patches of the HSM
- Generation of certificates
- Changing the date and time
- The Partition Owner also has two stakeholders, and each stakeholder has its own unique key (a USB found in the HSM box, working as a password)
3 – Auditor :
A Luna HSM Audit role allows complete separation of Audit responsibilities from the Security Officer (SO or HSM Admin), the Partition User (or Owner), and other HSM roles. If the Audit role is initialized, the HSM and Partition administrators are prevented from working with the log files, and auditors are unable to perform administrative tasks on the HSM.
For Luna HSMs with Password Authentication, the auditor logs into the HSM to perform his/her activities using a password.
For Luna HSMs with PED Authentication, the auditor logs in to perform his/her activities using a white PED Key. The Audit feature works only with Luna PED version 2.5.0-1 or newer. Older versions of PED firmware are not aware of the Audit role and Audit Key.
Audit initialization – creating the Auditor role (and imprinting the white PED Key for PED authenticated HSMs) does not require the presence or cooperation of the HSM SO.
Basic HSM Commands
- Login
  - Select the user that will execute functions.
- Support
  - Key management (restore, backup, define and delete)
  - Restore all keys at one time
  - Restore and backup can also be done remotely over an internet connection
- KeyMgmt
  - Used for insertion, update and deletion of keys
- Sysconfig
  - System-level changes (such as date and time)
Two Steps To Configure HSM:
- Console Configuration
- Web SSL Configuration
How to Configure HSM SafeNet ?
Console Configure HSM SafeNet
- Start Putty for Windows or minicom for Linux
  - Putty:
    - Select Serial and write COM in text bar and set
  - Minicom:
    - Run su in the terminal
    - Write minicom -s
    - In the minicom configuration, select Serial Port Setup
    - Press A and type /dev/ttyUSB0
    - Press E and select 115200 8n1
    - Set Hardware Flow Control = Yes
    - Select Save setup as dfl
    - Select Exit
  - Press Enter.
- Write Admin and its password
  - username: admin
  - password: xxxxxx
- Set Date/Time
  - Putty:
    Command: status date or status time (view date and time)
    Command: sysconfig timezone set GMT
    Command: sysconfig time 22:59 20170319
- Initialize HSM
  Command: hsm eftinit
    Insert Purple Activation USB eToken
    Activation eToken PIN: xxxxxxx
    first EFT Administrator: xxxxxx
    Insert Blue eToken HSM Admin 1
    admin1 PIN: xxxxxx
    second EFT Administrator: xxxxxx
    Insert Blue eToken HSM Admin 2
    admin2 PIN: xxxxxx
    first EFT Auditor: xxxxxx
    Insert White eToken HSM Audit 1
    audit1 PIN: xxxxxx
    second EFT Auditor: xxxxxx
    Insert White eToken HSM Audit 2
    audit2 PIN: xxxxxx
- Activate the HSM
  Command: hsm activate
- Update Network Configuration
  Command: sysconfig network interface show
  Command: login eftadmin
  Command: sysconfig network interface static -device eth0 -ip 10.33.31.119 -netmask 255.255.255.0 -gateway 10.33.31.254
- Change Host Name
  Command: sysconfig network hostname luna_eft2_pin1 (Optional, not required in v2.1.0)
- HSM Activate
  Command: hsm activate
  - Insert Activation e-token.
  - Enter PIN as mentioned
- Generating Luna EFT Administration Console Certificate
  Command: login eftAdmin
  - View mode of certification
    Command: sysconfig SSLMgmt viewmode
  - Setting certificate mode to self-signing
    Command: sysconfig SSLMgmt setmode -mode Self_Signed
  - Generate a Certificate
    Command: sysconfig certMgmt generate -modulus 2048
    New Command: sysconfig certMgmt generate -modulus 2048 -subject "/CN=Luna EFT/O=HabibMetro/OU=Information Technology/C=PK/ST=Karachi/L=Karachi/emailAddress=rao.bilal@habibmetro.com"
  - View Certificate
    Command: sysconfig certMgmt view
  - Export Certificate
    Command: sysconfig certMgmt export -type server
  - NOTE: if you want to change the certificate, just update it with the same command mentioned in 2
- Creating Partition Users
  Command: Login EFTadmins
  Command: sysconfig partition create -partition part1 -f -size 12000000
  - Partition Name: xxxxxx
  - Partition user 1: xxxxxx
  - password: xxxxxx
  - Partition user 2: xxxxxx
  - password: xxxxxx
  - Note: you can write any name for the user.
- Delete Partition User
  Command: sysconfig partition delete -partition part1
- How to do Smart Card Key Restore
  - Define KTP on index 1
    Command: keyMgmt generate hsm ktp -index 1 -clearComp 2 -encryptedComp 0 -algo DES -keyLen 2
    - Component 1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (defined while creating the backup)
    - Component 2: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (defined while creating the backup)
    - KCV: 40826A (the KCV must always be the same as the one you got while taking the backup)
  - Define KTP on index 2
    Command: keyMgmt generate hsm ktp -index 2 -clearComp 2 -encryptedComp 0 -algo AES -keybit 256
    - Component 1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx…. (defined while creating the backup)
    - Component 2: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx… (defined while creating the backup)
  - Set Index for Restore Backup
    Command: keyMgmt activate ktp -index 2
  - View ktp
    Command: keyMgmt view hsm ktp -index 2
    Command: keyMgmt view hsm ktp -index 1 - 50
  - Note: Algo DES is defined on index 1 and Algo AES is defined on index 2
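The KCV comparison in the KTP step, shown as an added example that is not part of the original page or of SafeNet's tooling. It assumes the clear components are combined by XOR and that the KCV is the first three bytes of an all-zero block encrypted under the resulting key, which is the common convention; `combine` and `kcv` are hypothetical names and the component values are constructed test data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// combine XORs equal-length hex components into one key (assumed combination rule).
func combine(components ...string) ([]byte, error) {
	var key []byte
	for i, c := range components {
		raw, err := hex.DecodeString(c)
		if err != nil || (i > 0 && len(raw) != len(key)) {
			return nil, fmt.Errorf("component %d: not hex or wrong length", i+1)
		}
		key = append(key, make([]byte, len(raw)-len(key))...) // allocates on first pass only
		for j := range raw {
			key[j] ^= raw[j]
		}
	}
	return key, nil
}

// kcv encrypts one all-zero block and returns its first 3 bytes as hex (assumed convention).
func kcv(algo string, key []byte) (string, error) {
	var blk cipher.Block
	err := errors.New("unsupported algorithm or key length")
	switch {
	case algo == "DES" && len(key) == 16: // -algo DES -keyLen 2: K1|K2 run as K1|K2|K1
		blk, err = des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	case algo == "AES" && len(key) == 32: // -algo AES -keybit 256
		blk, err = aes.NewCipher(key)
	}
	if err != nil {
		return "", err
	}
	out := make([]byte, blk.BlockSize())
	blk.Encrypt(out, make([]byte, blk.BlockSize()))
	return fmt.Sprintf("%X", out[:3]), nil
}

func main() {
	key, _ := combine("00112233445566778899AABBCCDDEEFF", "01326754CDFEAB9889BAEFDC45762310") // constructed
	fmt.Println(kcv("DES", key))
}
```

The value the HSM prints after key entry remains the authoritative check; a mismatch against the KCV recorded at backup time means a component was mistyped or belongs to a different key.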
WEB Configure HSM SafeNet
How to Configure HSM EFT Web ?
- Open url/eftweb (https://10.0.0.1/eftweb)
- Log in as Partition Owner
- Click Payment Configuration
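Because the console certificate is set to Self_Signed, a browser opening eftweb cannot validate it through a CA, so the exported server certificate is what clients have to be checked against. One way to inspect it and derive a fingerprint to pin, as an added example that is not from the original page: `inspect` and `selfSigned` are hypothetical names, and the certificate generated here is a constructed stand-in for the exported file.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// inspect checks a PEM certificate and returns its SHA-256 fingerprint for pinning.
func inspect(pemBytes []byte, minBits int, now time.Time) (string, error) {
	blk, _ := pem.Decode(pemBytes)
	if blk == nil || blk.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || pub.N.BitLen() < minBits {
		return "", fmt.Errorf("not an RSA key of at least %d bits", minBits)
	}
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return "", fmt.Errorf("not self-signed: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", fmt.Errorf("outside validity period")
	}
	return fmt.Sprintf("%x", sha256.Sum256(cert.Raw)), nil
}

// selfSigned builds a constructed stand-in for the exported certificate.
func selfSigned(bits int, cn string) []byte {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println(inspect(selfSigned(2048, "Luna EFT"), 2048, time.Now()))
}
```

Record the fingerprint at export time and compare it with the one the browser shows on first connection to eftweb; regenerate the pin whenever the certificate is regenerated.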
How to Restore Smart Card Keys in HSM
Restore Smart Card Keys:
- Prerequisites
  - Ensure that the KL=KR check is disabled (check in EFTWeb, logged in as Partition Owner; link = https://10.0.0.1/eftweb)
  - Allow DES must be enabled
- Commands:
  Command: support restore smartcard -cardsetid uathsm -force -- For 2.0 and lower versions
  Command: support restore smartcard -cardsetid PAK2018 -force -data KEYS -- For HSM 2.1.0 version, to restore keys
  Command: support restore smartcard -cardsetid "#EFT1X" -data KM -i 1 -- For HSM 2.1.0 version, to restore the Master key